Beware of misleading security information in Opera 8

In an effort to prevent phishing attacks, Opera 8 has added a security field to the address bar, which displays some information about secure sites.

Security background
For a site to be considered a “secured site”, it must receive a digital certificate from a trusted organization, such as Verisign, that certifies it as being secure.

The security field, in Opera, currently contains the “Organization” name and the “Country” field from the certificate. Here is a screenshot of Opera’s security field.

The vulnerability
The name of the organization can be easily faked on the certificate. Thus, the organization name displayed in the browser will deceive users.

For example, if some malicious person gets a digital certificate for his own site, but registers the certificate with the organization name of “Paypal, Inc”. He can then use some common methods to get the URL and page content to look similar to the real paypal.com and will have the name “Paypal, Inc.” in the security field to back him up. Visitors to the site will be tricked into thinking that it is the real paypal.com. This is otherwise known as “phishing”.

Phishing attacks are the largest growing class of attacks on the internet today. In fact, presenting certificate information like this potentially opens up a large new hole for phishers to target.

This is not a vulnerability with Opera, per se. It is an issue with how digital certificates are obtained.

Opera’s response
This deceptive use of the “Organization” field of digital certificates is well known to Opera.

The security field “will help raise users’ awareness of certificates”, wrote Opera in a security advisory. “When visiting a secure site, the user has to make an informed choice before entering any sensitive information: Is it the right site? And is it trustworthy? If either the domain name or the Organization field look wrong, it calls for closer scrutiny from the user.”